Exploring keycloak instead of dex

[Abhishek627]

Hi !

I see dex is coupled with grafana and metalk8s-ui and also used with kubernetes API. So, if I want to replace it with keycloak, how loosely/tightly coupled is it ? Would replacing the static user created in dex with one in keycloak work (assuming nginx ingress and routing modifications inplace) or am I missing some use case here?

Thank you !

[NicolasT]

Hello!

Indeed, MetalK8s includes Dex as an OIDC provider or bridge. Coincidentally, we're integrating Keycloak with the product we build around MetalK8s, so it's definitely feasible. We decided, however, not to include Keycloak with MetalK8s because it adds a database dependency, and we try to keep MetalK8s as simple and versatile as possible.

You could indeed remove Dex from your cluster and reconfigure all services to authenticate with Keycloak directly (keep in mind, however, these changes could be overwritten when upgrading the system). Another alternative is to keep Dex and configure its OIDC Connector, which is then backed by Keycloak. You can reconfigure Dex using the 'service customization' functionality part of MetalK8s, see Dex Default Configuration and Dex Configuration Customization.

Hope this answers your question.

[Abhishek627]

Hello @NicolasT !

Thank you ! Yes, this answers the question perfectly. Just curious, in your product, have you replaced dex completely or decided to keep both ?

[NicolasT]

I'll let @gdemonet and @JBWatenbergScality answer 😊

[gdemonet]

The decision is not final yet, but for now, we are keeping Dex in the picture, for multiple reasons:

• Dex is less likely to fail than Keycloak, as it does not rely on a database, so it gives us (through the staticPasswords configuration) a backdoor if one needs to troubleshoot from a UI
• Deployment is simpler, because MetalK8s does not (yet) allow for configuring an alternative OIDC provider to replace Dex - all we have to do is configure a Dex OIDC connector to point to Keycloak (as @NicolasT explained above)

This may evolve in the future, especially if we manage to provide SSO across control and workload planes (in which case we may need to only use Keycloak, since a Dex-minted token cannot be validated by Keycloak).

[Abhishek627]

Thank you for the clarification @gdemonet . This helped a lot.